Find Local Administrative Accounts

It may be useful to do a search for local administrative accounts in your device fleet. You could grab timestamps of when accounts were created to gain more insight.

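-- Local accounts that are members of the local Administrators group
SELECT u.username, g.groupname, u.type, u.uid, g.gid, u.description, g.comment
FROM users u
JOIN user_groups ug ON ug.uid = u.uid
JOIN groups g ON g.gid = ug.gid
-- Single quotes mark string literals; double quotes denote identifiers in SQL
WHERE g.groupname = 'Administrators'
AND u.type = 'local';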
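
One way to approximate the creation timestamp mentioned above, as an added example that is not part of the original thread. It assumes the osquery `file` table and its `btime` column are available on the endpoint, and it uses the creation time of each account's profile directory as a proxy, which reflects first logon rather than the moment the account was created.

```sql
-- Added example: local Administrators members with the creation time of
-- their profile directory (assumption: this approximates first logon,
-- not the moment the account object was created).
SELECT u.username,
       u.uid,
       u.directory,
       datetime(f.btime, 'unixepoch') AS profile_created_utc
FROM users u
JOIN user_groups ug ON ug.uid = u.uid
JOIN groups g ON g.gid = ug.gid
-- LEFT JOIN keeps accounts that have no profile directory yet
LEFT JOIN file f ON f.path = u.directory
WHERE g.groupname = 'Administrators'
  AND u.type = 'local'
ORDER BY f.btime DESC;
```

A local administrator with an empty `profile_created_utc` has no profile directory on disk, which usually means the account has never logged on interactively.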

  • Very useful!

    Is it possible to develop this further to also include groups that are members of the Local Administrators group and not just the users? Although I think this should be simple enough, I haven't managed it yet. Failing that, is it possible to create a second query to report on the groups only that we could use with the script above?